A method, system and computer program product for assessing information security
interviews users regarding technical and non-technical issues. In an embodiment,
users are interviewed based on areas of expertise. In an embodiment, information
security assessments are performed on domains within an enterprise, the results
of which are rolled up to perform an information security assessment across the
enterprise. The invention optionally includes application-specific questions and
vulnerabilities and/or industry-specific questions and vulnerabilities. The invention
optionally permits users to query a repository of expert knowledge. The invention
optionally provides users with working aids. The invention optionally permits users
to execute third-party testing/diagnostic applications. The invention optionally
combines results of executed third-party testing/diagnostic applications with user
responses to interview questions to assess information security. A system in accordance
with the invention includes an inference engine, which may include a logic-based
inference engine, a knowledge-based inference engine, and/or an artificial intelligence
inference engine. In an embodiment, the invention includes an application-specific
tailoring tool that allows a user to tailor the system to assess security of information
handled by a third-party application program.
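The following is an added illustration, not code from the patent, of three mechanisms the abstract names: routing interview questions to users by area of expertise, combining interview responses with the output of a third-party diagnostic application, and rolling per-domain results up into an enterprise-wide assessment. The question bank, the severity penalties, the 50/50 weighting of interview and tool results, and the domain data are all constructed assumptions; the diagnostic tool is simulated as a dictionary of finding counts, and the roll-up also reports the weakest domain so that a poorly performing domain is not hidden by the average.

```python
"""Constructed example of expertise-based interviewing, tool/interview
combination and per-domain roll-up. Scales and weights are assumptions."""
from __future__ import annotations

from dataclasses import dataclass


@dataclass
class Question:
    qid: str
    text: str
    expertise: str   # area of expertise whose users are asked this question
    weight: float    # contribution to the interview score (assumed scale)


# Constructed question bank; the patent does not specify its questions.
QUESTION_BANK = [
    Question("q1", "Are perimeter firewall rules reviewed quarterly?", "network", 2.0),
    Question("q2", "Is a written incident-response plan maintained?", "policy", 1.5),
    Question("q3", "Are security patches applied within 30 days?", "sysadmin", 2.5),
]


def questions_for(expertise: str) -> list[Question]:
    """Interview routing: a user only sees questions in their area of expertise."""
    return [q for q in QUESTION_BANK if q.expertise == expertise]


@dataclass
class DomainAssessment:
    name: str
    answers: dict[str, bool]        # qid -> yes/no collected from interviews
    tool_findings: dict[str, int]   # severity -> count from a diagnostic tool (simulated)


def interview_score(answers: dict[str, bool]) -> float:
    """Weighted fraction of 'yes' answers among the questions that were answered, 0..1."""
    answered = [q for q in QUESTION_BANK if q.qid in answers]
    total = sum(q.weight for q in answered)
    if total == 0:
        return 0.0
    satisfied = sum(q.weight for q in answered if answers[q.qid])
    return satisfied / total


# Assumed penalty per finding, by severity (constructed values).
SEVERITY_PENALTY = {"critical": 0.25, "high": 0.10, "medium": 0.03, "low": 0.01}


def tool_score(findings: dict[str, int]) -> float:
    """Start from 1.0, subtract a penalty per finding, never go below 0."""
    penalty = sum(SEVERITY_PENALTY.get(sev, 0.0) * n for sev, n in findings.items())
    return max(0.0, 1.0 - penalty)


def domain_score(d: DomainAssessment, interview_weight: float = 0.5) -> float:
    """Combine interview responses with tool results (equal weighting assumed)."""
    return (interview_weight * interview_score(d.answers)
            + (1.0 - interview_weight) * tool_score(d.tool_findings))


def enterprise_rollup(domains: list[DomainAssessment]) -> dict:
    """Roll domain scores up to the enterprise: the mean, plus the weakest domain."""
    scores = {d.name: round(domain_score(d), 3) for d in domains}
    return {
        "domains": scores,
        "enterprise": round(sum(scores.values()) / len(scores), 3),
        "weakest": min(scores, key=scores.get),
    }


# Constructed domain data for the demonstration.
SAMPLE_DOMAINS = [
    DomainAssessment("Domain A", {"q1": True, "q2": True, "q3": False},
                     {"high": 1, "medium": 2}),
    DomainAssessment("Domain B", {"q1": False, "q3": True},
                     {"critical": 1}),
]

if __name__ == "__main__":
    for q in questions_for("network"):
        print("network interviewee is asked:", q.text)
    print(enterprise_rollup(SAMPLE_DOMAINS))
```

Running the block routes only the firewall question to a "network" interviewee and reports Domain A at about 0.712, Domain B at about 0.653 and an enterprise mean near 0.68, with Domain B flagged as weakest because its single critical finding outweighs its better patching answer.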